name: Build and Push on: push: branches: - main - develop tags: - 'v*' jobs: build: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: cache-binary: false - name: Determine image name and tags id: meta env: # Pass context values through env so the workflow templater does not # interpolate them into the script body (prevents shell injection via # attacker-controlled ref names). Shell vars below are NOT templated. REF_TYPE: ${{ gitea.ref_type }} REF_NAME: ${{ gitea.ref_name }} REPOSITORY: ${{ gitea.repository }} SHA: ${{ gitea.sha }} REGISTRY: ${{ vars.REGISTRY }} run: | # Image names must be lowercase; lowercase the full owner/name path. IMAGE="${REGISTRY}/$(echo "$REPOSITORY" | tr '[:upper:]' '[:lower:]')" echo "image=${IMAGE}" >> "$GITHUB_OUTPUT" if [ "$REF_TYPE" = "tag" ]; then # Reject tags that aren't clean semver-ish refs. case "$REF_NAME" in v[0-9]*) : ;; *) echo "Refusing to build non-version tag: $REF_NAME" >&2; exit 1 ;; esac echo "is_release=true" >> "$GITHUB_OUTPUT" echo "version=$REF_NAME" >> "$GITHUB_OUTPUT" else SHORT_SHA="$(echo "$SHA" | cut -c1-8)" echo "is_release=false" >> "$GITHUB_OUTPUT" echo "version=dev-${SHORT_SHA}" >> "$GITHUB_OUTPUT" fi - name: Log in to Gitea registry if: steps.meta.outputs.is_release == 'true' uses: docker/login-action@v3 with: registry: ${{ vars.REGISTRY }} username: ${{ secrets.REGISTRY_USER }} password: ${{ secrets.REGISTRY_PASSWORD }} - name: Build and push release image if: steps.meta.outputs.is_release == 'true' uses: docker/build-push-action@v5 with: context: . push: true tags: | ${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.version }} ${{ steps.meta.outputs.image }}:latest - name: Build dev image (no push) if: steps.meta.outputs.is_release == 'false' uses: docker/build-push-action@v5 with: context: . push: false tags: ${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.version }}